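        /// <summary>
        /// Deletes the Azure AD application registration that backs a device identity.
        /// </summary>
        /// <param name="id">Object id of the application registration to delete, posted by the page.</param>
        /// <returns>400 when no id was posted; otherwise a redirect back to this page.</returns>
        public async Task <IActionResult> OnPostDeleteDeviceIdentityAsync(string id)
        {
            // Reject a missing id up front: Applications[id] with an empty segment does not address a
            // single registration, and letting it reach Graph only produces a less clear failure.
            if (string.IsNullOrWhiteSpace(id))
            {
                return BadRequest();
            }

            // The delete runs under the signed-in user's delegated token, so Azure AD decides whether
            // that user may remove the registration. NOTE(review): nothing here verifies that the target
            // is one of the device-prefixed registrations this page provisions, so any application object
            // the user is allowed to delete can be removed through this handler — consider checking the
            // display-name prefix before deleting.
            var graphService = GraphServiceClientFactory.GetForUserIdentity(this.User);
            await graphService.Applications[id].Request().DeleteAsync();

            return(RedirectToPage());
        }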
        /// <summary>
        /// Provisions a new device identity as an application registration in the signed-in user's tenant.
        /// </summary>
        /// <returns>A redirect back to this page once the registration has been created.</returns>
        public async Task <IActionResult> OnPost()
        {
            // The display name is the shared prefix followed by a fresh GUID, so provisioned
            // registrations can later be found by filtering on that prefix.
            var newDeviceName = DeviceDisplayNamePrefix + " " + Guid.NewGuid().ToString();
            var newDeviceDescription = "Created by Device Identity Provisioning Service";

            // The registration is created with the caller's delegated identity.
            var userGraph = GraphServiceClientFactory.GetForUserIdentity(this.User);
            await CreateDeviceIdentityAsync(userGraph, newDeviceName, newDeviceDescription);

            return RedirectToPage();
        }
        /// <summary>
        /// Loads the page: surfaces an optional notification and lists the provisioned device identities.
        /// </summary>
        /// <param name="notificationMessage">Message handed over in the query string by a redirecting handler; exposed to the view unchanged.</param>
        public async Task OnGet(string notificationMessage)
        {
            // NOTE(review): this value arrives from the request, so the view must render it through
            // Razor's default HTML encoding rather than as raw markup — confirm in the .cshtml.
            NotificationMessage = notificationMessage;

            // Device identities are modelled as application registrations whose display name starts
            // with the device prefix (a demo convention; a real deployment would keep its own device store).
            // The prefix is a class constant, not request input, so interpolating it into the OData filter is fine.
            var prefixFilter = $"startswith(displayName,'{DeviceDisplayNamePrefix}')";
            var userGraph = GraphServiceClientFactory.GetForUserIdentity(this.User);
            var registrations = await userGraph.Applications.Request().Filter(prefixFilter).GetAsync();

            // NOTE(review): GetAsync() yields a single page of results; registrations beyond the first
            // page would not appear here — confirm the expected device count stays within the page size.
            var devices = registrations.Select(registration => new DeviceIdentity(registration));
            Devices = devices.OrderByDescending(device => device.CreatedDateTime).ToArray();
        }
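        /// <summary>
        /// Exercises a provisioned device identity: loads its registration from Azure AD, then calls the
        /// Graph API with the device's own credentials to prove the identity is usable.
        /// </summary>
        /// <param name="id">Object id of the device's application registration, posted by the page.</param>
        /// <returns>400 when no id was posted; otherwise a redirect to this page carrying the outcome as a notification message.</returns>
        public async Task <IActionResult> OnPostUseDeviceIdentityAsync(string id)
        {
            // Reject a missing id up front rather than sending an empty path segment to Graph.
            if (string.IsNullOrWhiteSpace(id))
            {
                return BadRequest();
            }

            // Read the registration with the signed-in user's delegated token; Azure AD enforces what
            // that user may read. NOTE(review): the id is not checked against the device-name prefix,
            // so any readable application object can be wrapped in a DeviceIdentity here.
            var graphService = GraphServiceClientFactory.GetForUserIdentity(this.User);
            var deviceApplicationRegistration = await graphService.Applications[id].Request().GetAsync();
            var deviceIdentity = new DeviceIdentity(deviceApplicationRegistration);

            // The proof is a Graph call made as the device itself, using whatever permissions/roles
            // were granted to its registration; the helper turns success or failure into a message.
            var notificationMessage = await CallApiUsingDeviceIdentityAsync(deviceIdentity);

            return(RedirectToPage(new { notificationMessage = notificationMessage }));
        }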
        /// <summary>
        /// Calls the Graph API as the device (not as the signed-in user) and reports the outcome as text.
        /// Never throws: any failure is folded into the returned message.
        /// </summary>
        /// <param name="deviceIdentity">The device whose provisioned credentials are used for the call.</param>
        /// <returns>A human-readable success or failure message.</returns>
        private static async Task <string> CallApiUsingDeviceIdentityAsync(DeviceIdentity deviceIdentity)
        {
            string outcome;

            try
            {
                // Listing users with the device's token proves the granted permissions actually work.
                var deviceGraph = GraphServiceClientFactory.GetForDeviceIdentity(deviceIdentity);
                var userPage = await deviceGraph.Users.Request().GetAsync();
                var userCount = userPage.Count;

                outcome = $"Successfully retrieved {userCount} users from the Graph API using the identity of device \"{deviceIdentity.DisplayName}\" in tenant \"{deviceIdentity.TenantId}\", which demonstrates that the device is able to access the Graph API using its provisioned identity.";
            }
            catch (Exception exc)
            {
                // NOTE(review): the raw exception message is returned and ends up on the page, so any
                // detail Graph or the token acquisition puts in it is shown to the user — acceptable for
                // a demo, but worth replacing with a generic message plus server-side logging in production.
                outcome = $"Failed to retrieve users from the Graph API using the identity of device \"{deviceIdentity.DisplayName}\" in tenant \"{deviceIdentity.TenantId}\": {exc.Message}.";
            }

            return outcome;
        }
        /// <summary>
        /// Revokes the organization-wide consent granted to the provisioning application by deleting its
        /// service principal from the signed-in user's tenant.
        /// </summary>
        /// <returns>A redirect to this page carrying a notification that says whether anything was removed.</returns>
        public async Task <IActionResult> OnPost()
        {
            var userGraph = GraphServiceClientFactory.GetForUserIdentity(this.User);
            var provisioningAppId = Startup.DeviceIdentityProvisioningAppId;

            // The app id comes from server configuration, not from the request, so interpolating it into
            // the OData filter is safe here. SingleOrDefault deliberately fails if more than one match exists.
            var principalFilter = $"appId eq '{provisioningAppId}'";
            var matchingPrincipals = await userGraph.ServicePrincipals.Request().Filter(principalFilter).GetAsync();
            var provisioningPrincipal = matchingPrincipals.SingleOrDefault();

            string notificationMessage;
            if (provisioningPrincipal == null)
            {
                // No service principal means consent was never granted or was already removed.
                notificationMessage = "Consent was already revoked. Please sign out.";
            }
            else
            {
                await userGraph.ServicePrincipals[provisioningPrincipal.Id].Request().DeleteAsync();
                notificationMessage = "Consent was revoked successfully. Please sign out.";
            }

            return RedirectToPage(new { notificationMessage });
        }